The first web application that doesn't trust the server

Airborn OS is an in-browser OS
and Google Docs alternative that encrypts your files in the browser.

TLDR: The latest version of our Firefox
extension has been approved. It checks the content at https://www.airbornos.com against a known good
version. This way, you see a warning if anyone in the chain from us to you
wants to, say, steal your password. That could be us, our hosting provider, our
Content Delivery Network (CDN), someone who hacks any of the above, or someone
further down the chain who can get their hands on a certificate for
airbornos.com.

Every so often, someone comes along who wants to make a web application that
can't read the notes you store in it, or view the pictures you store in it, or
something like that. "I'll use a symmetric encryption library! Then users'
notes are secure." Most of them are promptly redirected to this Matasano
article or some other explanation of the fact that if your users are
entering their password and notes on your website, they have to trust you every
time they do that. So why use encryption at all?

We, too, read the articles. Couldn't we cheat? Maybe we could build a
browser extension? In fact we did, for Firefox. It contains checksums of the
first few files you get from airbornos.com. If any of them don't match, you get
a big error page. Or if the checksums are considered out of date, you get a
smaller warning.

The checksums are considered out of date when a new certificate for
airbornos.com has been generated and is in use. Today, that can be done quite
easily and unnoticed, so the warning shouldn't be taken lightly. However, in
the future, Certificate
Transparency will notify people when that happens, so that they can check
if a corresponding extension update has been issued.

These first files, checked by the extension, then continue to fetch and
execute further scripts, which are authenticated with the user's password. If
the user wishes, they are asked before updating those further scripts. The
result is that none of the scripts that the server delivers are trusted at face
value.

But Firefox extensions take weeks to update, right? You can't put a website's checksum in there!
Our experience so far, with three versions of our extension, has been pretty
good. Still, this is a valid concern. The first few files on airbornos.com have
been purposely designed to remain constant. For example, most of the content on
the homepage is loaded in a sandboxed iframe. This has some downsides, but for
us it's worth it.

Nobody wants to install an extension before using a web app!
We hope that those who care about their security will. However, not everybody
has to install the extension for everybody to benefit: an attacker doesn't know
in advance whether or not you have the extension installed, after
all.[1] That means they don't know if their attempt
will go unnoticed.

Does this mean Airborn OS is secure?
Maybe. We would like to have a full audit done of Airborn OS and the Firefox
extension in the future. However, if you install the extension, and disable
automatic updates for Airborn OS, you're probably running the code that's on GitHub.

Can my web app do this too?
Yes. Send a
pull request with your web app's checksums. However, make no mistake: the
files for which you include checksums can't change often.[2] So your web app either needs to be very
simple, or you need to build upon this to verify the rest of the web
application in some other way. A simple example would be to check the rest of
the source with the version on GitHub.

Notes

[1] Unless you don't use Firefox. However, in the future we
could solve that by 1) releasing an extension for other browsers or 2)
impersonating other browsers in our Firefox extension for some users.

[2] If you want to help decide on branding for the add-on,
or want help with making the first few files of your web app static, shoot me
an email (see GitHub).
